Hello community,

here is the log from the commit of package cargo-audit-advisory-db for 
openSUSE:Factory checked in at 2021-06-01 10:39:54
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cargo-audit-advisory-db (Old)
 and      /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1898 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "cargo-audit-advisory-db"

Tue Jun  1 10:39:54 2021 rev:6 rq:896476 version:20210601

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/cargo-audit-advisory-db/cargo-audit-advisory-db.changes
  2021-05-08 22:08:46.937388011 +0200
+++ 
/work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1898/cargo-audit-advisory-db.changes
        2021-06-01 10:41:31.573228237 +0200
@@ -1,0 +2,15 @@
+Tue Jun 01 01:28:10 UTC 2021 - wbr...@suse.de
+
+- Update to version 20210601:
+  * Assigned RUSTSEC-2021-0069 to lettre (#925)
+  * Add lettre smtp vulnerability (#924)
+  * Assigned RUSTSEC-2021-0068 to iced-x86 (#923)
+  * iced-x86: fix lint (#922)
+  * Add advisory for iced-x86 soundness bug (#914)
+  * Assigned RUSTSEC-2021-0067 to cranelift-codegen (#921)
+  * fixes #915 - remove duplicate word (#916)
+  * Add RUSTSEC notice for CVE-2021-32629, a Cranelift miscompilation bug. 
(#918)
+  * Bump rustsec-admin to v0.4.3 (#919)
+  * evm-core: fix crate name (#911)
+
+-------------------------------------------------------------------
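Review bot: the generated changelog entry lists the lettre, iced-x86 and cranelift-codegen ID assignments but says nothing about RUSTSEC-2021-0065 (anymap) or RUSTSEC-2021-0066 (evm-core), both of which the tarball diff further down adds as brand-new files (old side dated 1970-01-01). Worth confirming that the obs_scm-generated changes actually cover the whole commit range between the 20210507 and 20210601 snapshots, since a consumer reading only the .changes file would not learn that two advisories entered the database in this update.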

Old:
----
  advisory-db-20210507.tar.xz

New:
----
  advisory-db-20210601.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ cargo-audit-advisory-db.spec ++++++
--- /var/tmp/diff_new_pack.0KynPm/_old  2021-06-01 10:41:32.041229034 +0200
+++ /var/tmp/diff_new_pack.0KynPm/_new  2021-06-01 10:41:32.041229034 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           cargo-audit-advisory-db
-Version:        20210507
+Version:        20210601
 Release:        0
 Summary:        A database of known security issues for Rust depedencies
 License:        CC0-1.0
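Review bot: the unchanged context line `Summary:        A database of known security issues for Rust depedencies` misspells "dependencies"; the Summary is user-visible package metadata, and since the spec is being touched for the version bump anyway this is a cheap fix to fold in.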

++++++ _service ++++++
--- /var/tmp/diff_new_pack.0KynPm/_old  2021-06-01 10:41:32.069229081 +0200
+++ /var/tmp/diff_new_pack.0KynPm/_new  2021-06-01 10:41:32.069229081 +0200
@@ -2,7 +2,7 @@
   <service mode="disabled" name="obs_scm">
     <param name="url">https://github.com/RustSec/advisory-db.git</param>
     <param name="scm">git</param>
-    <param name="version">20210507</param>
+    <param name="version">20210601</param>
     <param name="revision">master</param>
     <param name="changesgenerate">enable</param>
     <param name="changesauthor">wbr...@suse.de</param>
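Review bot: `<param name="revision">master</param>` is left pointing at a moving branch while only the `version` label is bumped to 20210601, so the checked-out content is whatever `master` resolves to when the service is run, not a fixed snapshot. For a database that feeds `cargo audit` decisions, pin `revision` to the commit hash (or tag) the 20210601 tarball was built from; that makes the package reproducible and lets the tarball diff be audited against a known upstream state.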

++++++ advisory-db-20210507.tar.xz -> advisory-db-20210601.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/advisory-db-20210507/.duplicate-id-guard 
new/advisory-db-20210601/.duplicate-id-guard
--- old/advisory-db-20210507/.duplicate-id-guard        2021-05-07 
01:45:32.000000000 +0200
+++ new/advisory-db-20210601/.duplicate-id-guard        2021-05-22 
20:13:18.000000000 +0200
@@ -1,3 +1,3 @@
 This file causes merge conflicts if two ID assignment jobs run concurrently.
 This prevents duplicate ID assignment due to a race between those jobs.
-0ebb4b8968ecfc3c4e67cc1851642dfa8b0b61fe7bde39d0807e3cebe51000c2  -
+ff091e2402596ebe5667596b7b07f686f263921249d154a8b98e063059c521aa  -
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20210507/.github/workflows/assign-ids.yml 
new/advisory-db-20210601/.github/workflows/assign-ids.yml
--- old/advisory-db-20210507/.github/workflows/assign-ids.yml   2021-05-07 
01:45:32.000000000 +0200
+++ new/advisory-db-20210601/.github/workflows/assign-ids.yml   2021-05-22 
20:13:18.000000000 +0200
@@ -15,12 +15,12 @@
       uses: actions/cache@v1
       with:
         path: ~/.cargo/bin
-        key: rustsec-admin-v0.4.2
+        key: rustsec-admin-v0.4.3
 
     - name: Install rustsec-admin
       run: |
         if [ ! -f $HOME/.cargo/bin/rustsec-admin ]; then
-            cargo install rustsec-admin --vers 0.4.2
+            cargo install rustsec-admin --vers 0.4.3
         fi
 
     - name: Assign IDs
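Review bot: `cargo install rustsec-admin --vers 0.4.3` pins the crate but not its dependency graph; without `--locked`, a run with a cold cache resolves transitive dependencies afresh, so two CI runs with the same cache key can end up with different binaries. Suggest `cargo install rustsec-admin --vers 0.4.3 --locked`, and quoting the path in the guard (`if [ ! -f "$HOME/.cargo/bin/rustsec-admin" ]; then`) so the test is robust to a home directory containing spaces.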
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20210507/.github/workflows/publish-web.yml 
new/advisory-db-20210601/.github/workflows/publish-web.yml
--- old/advisory-db-20210507/.github/workflows/publish-web.yml  2021-05-07 
01:45:32.000000000 +0200
+++ new/advisory-db-20210601/.github/workflows/publish-web.yml  2021-05-22 
20:13:18.000000000 +0200
@@ -14,10 +14,10 @@
       - uses: actions/cache@v1
         with:
           path: ~/.cargo/bin
-          key: rustsec-admin-v0.4.2
+          key: rustsec-admin-v0.4.3
       - run: |
           if [ ! -f $HOME/.cargo/bin/rustsec-admin ]; then
-           cargo install rustsec-admin --vers 0.4.2
+           cargo install rustsec-admin --vers 0.4.3
           fi
           rustsec-admin web .
           git config user.name github-actions
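Review bot: the cache key `rustsec-admin-v0.4.3` and the `--vers 0.4.3` argument encode the same version in two places in this workflow (and the same pair recurs in assign-ids.yml and validate.yml). A future bump that updates the install line but not the key will silently keep serving the cached old binary, because the `if [ ! -f $HOME/.cargo/bin/rustsec-admin ]` guard only checks that some file exists, not which version it is. Consider one workflow-level `env:` value (for example `RUSTSEC_ADMIN_VERSION`, a name assumed here) referenced from both the key and the install command, or have the guard compare `rustsec-admin --version` against the expected string.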
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/advisory-db-20210507/.github/workflows/validate.yml 
new/advisory-db-20210601/.github/workflows/validate.yml
--- old/advisory-db-20210507/.github/workflows/validate.yml     2021-05-07 
01:45:32.000000000 +0200
+++ new/advisory-db-20210601/.github/workflows/validate.yml     2021-05-22 
20:13:18.000000000 +0200
@@ -16,12 +16,12 @@
       uses: actions/cache@v1
       with:
         path: ~/.cargo/bin
-        key: rustsec-admin-v0.4.2
+        key: rustsec-admin-v0.4.3
 
     - name: Install rustsec-admin
       run: |
         if [ ! -f $HOME/.cargo/bin/rustsec-admin ]; then
-            cargo install rustsec-admin --vers 0.4.2
+            cargo install rustsec-admin --vers 0.4.3
         fi
 
     - name: Lint advisories
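Review bot: the unchanged context line `uses: actions/cache@v1` references the action by a floating major tag; for the job that validates the advisory database it is more defensible to pin the action to a full commit SHA so the third-party code running in this workflow cannot change underneath the tag. The same step appears unchanged in assign-ids.yml and publish-web.yml and would get the same treatment.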
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/advisory-db-20210507/README.md 
new/advisory-db-20210601/README.md
--- old/advisory-db-20210507/README.md  2021-05-07 01:45:32.000000000 +0200
+++ new/advisory-db-20210601/README.md  2021-05-22 20:13:18.000000000 +0200
@@ -1,7 +1,7 @@
 # RustSec Advisory Database
 
 [![Build Status][build-image]][build-link]
-![Maintained: Q1 2021][maintained-image]
+![Maintained: Q2 2021][maintained-image]
 [![Project Chat][chat-image]][chat-link]
 
 The RustSec Advisory Database is a repository of security advisories filed
@@ -45,7 +45,7 @@
 package = "mycrate"
 
 # Disclosure date of the advisory as an RFC 3339 date (mandatory)
-date = "2019-10-01"
+date = "2021-01-31"
 
 # URL to a long-form description of this issue, e.g. a GitHub issue/PR,
 # a change log entry, or a blogpost announcing the release (optional)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20210507/crates/anymap/RUSTSEC-2021-0065.md 
new/advisory-db-20210601/crates/anymap/RUSTSEC-2021-0065.md
--- old/advisory-db-20210507/crates/anymap/RUSTSEC-2021-0065.md 1970-01-01 
01:00:00.000000000 +0100
+++ new/advisory-db-20210601/crates/anymap/RUSTSEC-2021-0065.md 2021-05-22 
20:13:18.000000000 +0200
@@ -0,0 +1,18 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0065"
+package = "anymap"
+date = "2021-05-07"
+informational = "unmaintained"
+url = "https://github.com/chris-morgan/anymap/issues/37";
+[versions]
+patched = []
+unaffected = []
+```
+
+# anymap is unmaintained.
+
+The `anymap` crate does not appear to be maintained, and the most recent
+published version 0.12.1 includes a soundness bug. This has been
+[fixed](https://github.com/chris-morgan/anymap/pull/32) a few years ago, but
+was never released.
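Review bot: the body says the latest release `includes a soundness bug`, but the metadata carries only `informational = "unmaintained"` with no `keywords = ["soundness"]` (compare the iced-x86 advisory in this same diff), so a consumer filtering or triaging by keyword will not surface the soundness aspect; suggest adding the keyword. Minor style: the heading `# anymap is unmaintained.` ends in a period, unlike every other advisory heading in the diff.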
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20210507/crates/cranelift-codegen/RUSTSEC-2021-0067.md 
new/advisory-db-20210601/crates/cranelift-codegen/RUSTSEC-2021-0067.md
--- old/advisory-db-20210507/crates/cranelift-codegen/RUSTSEC-2021-0067.md      
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20210601/crates/cranelift-codegen/RUSTSEC-2021-0067.md      
2021-05-22 20:13:18.000000000 +0200
@@ -0,0 +1,28 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0067"
+package = "cranelift-codegen"
+date = "2021-05-21"
+url = 
"https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hpqh-2wqx-7qp5";
+categories = ["code-execution", "memory-corruption", "memory-exposure"]
+keywords = ["miscompile", "sandbox", "wasm"]
+aliases = ["CVE-2021-32629"]
+
+[versions]
+patched = [">= 0.73.1", ">= 0.74"]
+
+[affected]
+arch = ["x86"]
+```
+
+# Memory access due to code generation flaw in Cranelift module
+
+There is a bug in 0.73.0 of the Cranelift x64 backend that can create a
+scenario that could result in a potential sandbox escape in a WebAssembly
+module. Users of versions 0.73.0 of Cranelift should upgrade to either 0.73.1
+or 0.74 to remediate this vulnerability. Users of Cranelift prior to 0.73.0
+should update to 0.73.1 or 0.74 if they were not using the old default backend.
+
+More details can be found in the GitHub Security Advisory at:
+
+<https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hpqh-2wqx-7qp5>
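Review bot: `patched = [">= 0.73.1", ">= 0.74"]` is redundant, since `>= 0.73.1` already covers 0.74 and everything after it; one range suffices. Also, the body describes a bug in `the Cranelift x64 backend`, but `arch = ["x86"]` names the 32-bit target; assuming the platform list uses `x86_64` for the 64-bit architecture, as I believe it does, the metadata should use that value. Finally, the text tells users before 0.73.0 they need to update only `if they were not using the old default backend`, yet `[versions]` has no `unaffected` entry, so every version below 0.73.1 is reported as vulnerable; that is a reasonable conservative choice, but stating it explicitly in the body would avoid readers thinking the metadata is wrong.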
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20210507/crates/evm-core/RUSTSEC-2021-0066.md 
new/advisory-db-20210601/crates/evm-core/RUSTSEC-2021-0066.md
--- old/advisory-db-20210507/crates/evm-core/RUSTSEC-2021-0066.md       
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20210601/crates/evm-core/RUSTSEC-2021-0066.md       
2021-05-22 20:13:18.000000000 +0200
@@ -0,0 +1,20 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0066"
+package = "evm-core"
+date = "2021-05-11"
+url = "https://github.com/rust-blockchain/evm";
+categories = ["denial-of-service"]
+
+[versions]
+patched = [">= 0.26.1", "0.25.1", "0.24.1", "0.23.1", "0.21.1"]
+```
+
+# Denial of service on EVM execution due to memory over-allocation
+
+Prior to the patch, when executing specific EVM opcodes related
+to memory operations that use `evm_core::Memory::copy_large`, the
+crate can over-allocate memory when it is not needed, making it
+possible for an attacker to perform denial-of-service attack.
+
+The flaw was corrected in commit `19ade85`.
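Review bot: the body says `The flaw was corrected in commit 19ade85`, but `url` points at the repository root `https://github.com/rust-blockchain/evm` rather than at that commit, so a reader cannot get from the advisory to the fix directly; link the commit (or the fixing release) instead. The patched list `[">= 0.26.1", "0.25.1", "0.24.1", "0.23.1", "0.21.1"]` skips 0.22.x entirely, so any 0.22 release will be reported as vulnerable with no patched version on that line; if that is intended it deserves a sentence in the body. Grammar: `perform denial-of-service attack` wants an article (`a denial-of-service attack`).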
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20210507/crates/iced-x86/RUSTSEC-2021-0068.md 
new/advisory-db-20210601/crates/iced-x86/RUSTSEC-2021-0068.md
--- old/advisory-db-20210507/crates/iced-x86/RUSTSEC-2021-0068.md       
1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20210601/crates/iced-x86/RUSTSEC-2021-0068.md       
2021-05-22 20:13:18.000000000 +0200
@@ -0,0 +1,24 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0068"
+package = "iced-x86"
+date = "2021-05-19"
+url = "https://github.com/icedland/iced/issues/168";
+keywords = ["soundness"]
+
+[affected]
+functions = { "iced_x86::Decoder::new" = ["<= 1.10.3"] }
+
+[versions]
+patched = ["> 1.10.3"]
+```
+
+# Soundness issue in `iced-x86` versions <= 1.10.3 
+
+Versions of iced-x86 <= 1.10.3 invoke undefined behavior which may cause 
soundness
+issues in crates using the `iced_x86::Decoder` struct. The `Decoder::new()` 
function
+made a call to `slice.get_unchecked(slice.length())` to get the end position 
of 
+the input buffer. The flaw was fixed with safe logic that does not invoke 
undefined
+behavior.
+
+More details can be found at <https://github.com/icedland/iced/issues/168>.
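Review bot: the body quotes the unsound call as `slice.get_unchecked(slice.length())`, but Rust slices have no `length()` method; this is almost certainly `slice.len()`, and since `get_unchecked(len)` is precisely the one-past-the-end access that constitutes the undefined behavior, the quoted expression should be accurate. The heading line `# Soundness issue in ...` also carries trailing whitespace. The `[affected] functions` range `<= 1.10.3` and `patched = ["> 1.10.3"]` agree, which is good.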
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20210507/crates/kekbit/RUSTSEC-2020-0129.md 
new/advisory-db-20210601/crates/kekbit/RUSTSEC-2020-0129.md
--- old/advisory-db-20210507/crates/kekbit/RUSTSEC-2020-0129.md 2021-05-07 
01:45:32.000000000 +0200
+++ new/advisory-db-20210601/crates/kekbit/RUSTSEC-2020-0129.md 2021-05-22 
20:13:18.000000000 +0200
@@ -7,7 +7,7 @@
 categories = ["memory-corruption", "thread-safety"]
 
 [versions]
-patched = []
+patched = [">= 0.3.4"]
 ```
 
 # ShmWriter allows sending non-Send type across threads
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20210507/crates/lettre/RUSTSEC-2021-0069.md 
new/advisory-db-20210601/crates/lettre/RUSTSEC-2021-0069.md
--- old/advisory-db-20210507/crates/lettre/RUSTSEC-2021-0069.md 1970-01-01 
01:00:00.000000000 +0100
+++ new/advisory-db-20210601/crates/lettre/RUSTSEC-2021-0069.md 2021-05-22 
20:13:18.000000000 +0200
@@ -0,0 +1,27 @@
+```toml
+[advisory]
+id = "RUSTSEC-2021-0069"
+package = "lettre"
+date = "2021-05-22"
+url = 
"https://github.com/lettre/lettre/pull/627/commits/93458d01fed0ec81c0e7b4e98e6f35961356fae2";
+categories = ["format-injection"]
+keywords = ["email", "smtp"]
+aliases = ["GHSA-qc36-q22q-cjw3"]
+
+[versions]
+patched = [">= 0.10.0-rc.3", "< 0.10.0-alpha.1, >= 0.9.6"]
+unaffected = ["< 0.7.0"]
+
+[affected.functions]
+# smtp transport
+"lettre::smtp::SmtpTransport::send" = ["< 0.10.0-alpha.1"]
+"lettre::transport::smtp::SmtpTransport::send" = [">= 0.10.0-alpha.1, < 
0.10.0-rc.3"]
+"lettre::transport::smtp::SmtpTransport::send_raw" = [">= 0.10.0-alpha.1, < 
0.10.0-rc.3"]
+```
+
+# SMTP command injection in body
+
+Affected versions of lettre allowed SMTP command injection through an 
attacker's controlled message body. The module for escaping lines starting with 
a period wouldn't catch a period that was placed after a double CRLF sequence, 
allowing the attacker to end the current message and write arbitrary SMTP 
commands after it.
+
+The flaw is fixed by correctly handling consecutive CRLF sequences.
+
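Review bot: the `[affected.functions]` range for `lettre::smtp::SmtpTransport::send` is `< 0.10.0-alpha.1`, but `[versions]` declares `< 0.10.0-alpha.1, >= 0.9.6` patched and `< 0.7.0` unaffected, so the function range overstates the affected span; narrowing it to `>= 0.7.0, < 0.9.6` would keep the two sections consistent. The file also ends with an extra blank line (the trailing `+` at the end of the hunk). The `categories = ["format-injection"]` choice fits the described CRLF-then-period bypass well, and linking `url` to the fixing commit rather than the repository root is the pattern the evm-core advisory in this same diff should follow.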
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/advisory-db-20210507/crates/traitobject/RUSTSEC-2020-0027.md 
new/advisory-db-20210601/crates/traitobject/RUSTSEC-2020-0027.md
--- old/advisory-db-20210507/crates/traitobject/RUSTSEC-2020-0027.md    
2021-05-07 01:45:32.000000000 +0200
+++ new/advisory-db-20210601/crates/traitobject/RUSTSEC-2020-0027.md    
2021-05-22 20:13:18.000000000 +0200
@@ -16,7 +16,7 @@
 patched = []
 ```
 
-# traitobject assumes assumes the layout of fat pointers
+# traitobject assumes the layout of fat pointers
 
 This crate gets the data pointer from fat pointers assuming that the first
 element in a fat pointer is the data pointer. This is currently true, but
